This feature was introduced on the Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.

12.2(15)ZJ   This feature was introduced on the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
12.3(4)T     This feature was integrated into Cisco IOS Release 12.3(4)T.
12.3(5)      This feature was revised to include support for the AIM-VPN/EPII, AIM-VPN/HPII family of encryption modules and was integrated into Cisco IOS Release 12.3(5).
12.3(6)      This feature was revised to include support for the AIM-VPN/BPII-Plus on the 2600XM encryption modules and was integrated into Cisco IOS Release 12.3(6).
12.3(7)T     This feature was revised to include support for the AIM-VPN/BPII-Plus family of encryption modules and was integrated into Cisco IOS Release 12.3(7)T.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

How to Configure DES/3DES/AES VPN Encryption Module

There are no configuration tasks specific to the encryption hardware. Both software-based and hardware-based encryption are configured in the same way. The system automatically detects the presence of an encryption module at bootup and uses it to encrypt data. If no encryption hardware is detected, software is used to encrypt data.

RFCs

RFCs         Title
2401-2410    IPSec AH, ESP
2401-2411    IPsec/IKE
2401-2451    IPsec/IKE
AES (NIST)   Advanced Encryption Standard and The National Institute of Standards and Technology

Technical Assistance

Description

Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

clear crypto engine accelerator counter

To reset the statistical and error counters for a router's hardware accelerator to zero, use the clear crypto engine accelerator counter command in privileged EXEC mode.

clear crypto engine accelerator counter

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Privileged EXEC

Command History

Release      Modification
12.1(3)XL    This command was introduced for the Cisco uBR905 cable access router.
12.2(2)XA    Support was added for the Cisco uBR925 cable access router.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII & AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.
12.2(15)ZJ   This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
12.3(4)T     This command was integrated into Cisco IOS Release 12.3(4)T.

Examples

The following example shows the router's statistical and error counters being cleared to zero:

Router# clear crypto engine accelerator counter

Related Commands

Command                                      Description
crypto ca                                    Defines the parameters for the certification authority used for a session.
crypto cisco                                 Defines the encryption algorithms and other parameters for a session.
crypto dynamic-map                           Creates a dynamic map crypto configuration for a session.
crypto engine accelerator                    Enables the use of the onboard hardware accelerator for IPSec encryption.
crypto ipsec                                 Defines the IPSec security associations and transformation sets.
crypto isakmp                                Enables and defines the IKE protocol and its parameters.
crypto key                                   Generates and exchanges keys for a cryptographic session.
crypto map                                   Creates and modifies a crypto map for a session.
debug crypto engine accelerator control      Displays each control command as it is given to the crypto engine.
debug crypto engine accelerator packet       Displays information about each packet sent for encryption and decryption.
show crypto engine accelerator ring          Displays the contents of the command and transmit rings for the crypto engine.
show crypto engine accelerator sa-database   Displays the active entries in the crypto engine SA database.
show crypto engine accelerator statistic     Displays the current run-time statistics and error counters for the crypto engine.
show crypto engine brief                     Displays a summary of the configuration information for the crypto engine.
show crypto engine configuration             Displays the version and configuration information for the crypto engine.
show crypto engine connections               Displays a list of the current connections maintained by the crypto engine.

crypto engine accelerator

To enable a router's onboard hardware accelerator for IPSec encryption, use the crypto engine accelerator command in global configuration mode. To disable the use of the onboard hardware IPSec accelerator, and thereby perform IPSec encryption/decryption in software, use the no form of this command.

crypto engine accelerator

no crypto engine accelerator

Syntax Description

This command has no arguments or keywords.

Defaults

The hardware accelerator for IPSec encryption is enabled.

Command Modes

Global configuration mode

Command History

Release      Modification
12.1(3)T     This command was introduced for the Cisco 1700 series router and other Cisco routers that support hardware accelerators for IPSec encryption.
12.1(3)XL    Support was added for the Cisco uBR905 cable access router.
12.2(2)XA    Support was added for the Cisco uBR925 cable access router.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII & AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.
12.2(15)ZJ   This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
12.3(4)T     This command was integrated into Cisco IOS Release 12.3(4)T.

Usage Guidelines

This command is not normally needed for typical operations because the router's onboard hardware accelerator for IPSec encryption is enabled by default. The hardware accelerator should not be disabled except on instruction from Cisco TAC personnel.

Examples

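The following example shows the no form of the command, which disables the router's onboard hardware accelerator for IPSec encryption; the router warns that all current connections will be torn down and asks for confirmation. Re-enabling the accelerator with crypto engine accelerator is normally needed only after it has been disabled for testing or debugging purposes.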

Router(config)# no crypto engine accel
Warning! all current connections will be torn down.
Do you want to continue? [yes/no]:

Related Commands

Command                                      Description
clear crypto engine accelerator counter      Resets the statistical and error counters for the hardware accelerator to zero.
crypto ca                                    Defines the parameters for the certification authority used for a session.
crypto cisco                                 Defines the encryption algorithms and other parameters for a session.
crypto dynamic-map                           Creates a dynamic map crypto configuration for a session.
crypto ipsec                                 Defines the IPSec security associations and transformation sets.
crypto isakmp                                Enables and defines the IKE protocol and its parameters.
crypto key                                   Generates and exchanges keys for a cryptographic session.
crypto map                                   Creates and modifies a crypto map for a session.
debug crypto engine accelerator control      Displays each control command as it is given to the crypto engine.
debug crypto engine accelerator packet       Displays information about each packet sent for encryption and decryption.
show crypto engine accelerator ring          Displays the contents of the command and transmit rings for the crypto engine.
show crypto engine accelerator sa-database   Displays the active entries in the crypto engine SA database.
show crypto engine accelerator statistic     Displays the current run-time statistics and error counters for the crypto engine.
show crypto engine brief                     Displays a summary of the configuration information for the crypto engine.
show crypto engine configuration             Displays the version and configuration information for the crypto engine.
show crypto engine connections               Displays a list of the current connections maintained by the crypto engine.

show crypto engine

To display a summary of the configuration information for the crypto engines, use the show crypto engine command in privileged EXEC mode.

show crypto engine [brief | configuration]

Syntax Description

brief           Displays a summary of the configuration information for the crypto engine.
configuration   Displays the version and configuration information for the crypto engine.

Command Modes

Privileged EXEC

Command History

Release      Modification
11.2         This command was introduced on the Cisco 7200, RSP7000, and 7500 series routers.
12.2(15)ZJ   This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
12.3(4)T     This command was integrated into Cisco IOS Release 12.3(4)T.

Usage Guidelines

This command displays all crypto engines and displays the AIM-VPN product name.

Examples

The following example of show crypto engine brief shows typical crypto engine information:

Number of packets passed to the VPN module for either encryption or decryption.

packets out              Number of packets returned from the VPN module to IPSEC. This would include packets with errors.
bytes in                 Number of payload bytes passed to the VPN Module. This does not include encryption header or trailer bytes.
bytes out                Number of payload bytes passed by the VPN Module. This does not include encryption header or trailer bytes.
packets decrypted        Number of packets passed to VPN module to be decrypted.
packets encrypted        Number of packets passed to VPN module to be encrypted.
bytes before decrypt     Number of payload bytes decrypted by the VPN Module, including encryption header and trailer bytes.
bytes encrypted          Number of payload bytes encrypted by the VPN Module. This does not include encryption header or trailer bytes.
bytes decrypted          Number of payload bytes decrypted by the VPN Module. This does not include encryption header or trailer bytes.
bytes after encrypt      Number of payload bytes encrypted by the VPN Module, including encryption header and trailer bytes.
packets decompressed     Number of packets that were decompressed by the interface.
packets compressed       Number of packets that were compressed by the interface.
bytes before decomp      Number of payload bytes decompressed by the VPN Module, including encryption header and trailer bytes.
bytes before comp        Number of payload bytes decompressed by the VPN Module. This does not include encryption header and trailer bytes.
bytes after decomp       Number of payload bytes compressed by the VPN Module. This does not include encryption header and trailer bytes.
bytes after comp         Number of payload bytes compressed by the VPN Module, including encryption header and trailer bytes.
packets bypass decompr   Number of packets that were not decompressed by the compression algorithm on the originating router.
packets bypass compres   Number of packets that were not compressed by the compression algorithm because they were too short.
bytes bypass decompres   The number of bytes in the payload that correspond to the number of bytes in packets bypass decompression.
bytes bypass compressi   Number of bytes in the packets that were not compressed by the originating router because they were too short.
packets not decompress   Number of bytes in the packets that were not decompressed by the compression algorithm on the originating router due to expansion.
packets not compressed   Number of packets that were not compressed because the packets were too short.
bytes not decompressed   The number of bytes in the packets that were counted in the bytes bypass decompression counter.
bytes not compressed     The number of bytes in the packets that were counted in the packets not compressed counter.
compression ratio        Ratio of compression and decompression of packets presented to the compression algorithm that were successfully compressed or decompressed. This statistic measures the efficiency of the algorithm for all packets that were compressed or decompressed.
overall                  Ratio of compression and decompression of packets presented to the compression algorithm including those that were not compressed. This measures the compression efficiency of all packets on the tunnel.
commands out             The number of requests that have been made to the AIM-VPN card.
commands acknowledged    The number of responses that have been handled by the AIM-VPN card.

The following example shows typical output of the Cisco 2600 and Cisco 3600 VPN Modules. Note the current statistics, error counters, and associated error numbers that may be returned to the console:

Tip: In Cisco IOS Release 12.2(8)T and later releases, you can add a time stamp to show commands by using the exec prompt timestamp command in line configuration mode.

Related Commands

Command                                      Description
clear crypto engine accelerator counter      Resets the statistical and error counters for the hardware accelerator to zero.
crypto ca                                    Defines the parameters for the certification authority used for a session.
crypto cisco                                 Defines the encryption algorithms and other parameters for a session.
crypto dynamic-map                           Creates a dynamic map crypto configuration for a session.
crypto engine accelerator                    Enables the use of the onboard hardware accelerator for IPSec encryption.
crypto ipsec                                 Defines the IPSec security associations and transformation sets.
crypto isakmp                                Enables and defines the IKE protocol and its parameters.
crypto key                                   Generates and exchanges keys for a cryptographic session.
crypto map                                   Creates and modifies a crypto map for a session.
debug crypto engine accelerator control      Displays each control command as it is given to the crypto engine.
debug crypto engine accelerator packet       Displays information about each packet sent for encryption and decryption.
show crypto engine accelerator sa-database   Displays the active entries in the crypto engine SA database.
show crypto engine accelerator ring          Displays the contents of the command and transmit rings for the crypto engine.
show crypto engine brief                     Displays a summary of the configuration information for the crypto engine.
show crypto engine configuration             Displays the version and configuration information for the crypto engine.
show crypto engine connections               Displays a list of the current connections maintained by the crypto engine.

show crypto engine accelerator ring

To display the contents and status of the control command, transmit packet, and receive packet rings used by the hardware accelerator crypto engine, use the show crypto engine accelerator ring command in privileged EXEC mode.

show crypto engine accelerator ring [control | packet | pool]

Syntax Description

control   (Optional) Displays the number of control commands that are queued for execution by the hardware accelerator crypto engine.
packet    (Optional) Displays the contents and status information for the transmit packet rings that are used by the hardware accelerator crypto engine.
pool      (Optional) Displays the contents and status information for the receive packet rings that are used by the hardware accelerator crypto engine.

Command Modes

Privileged EXEC

Command History

Release      Modification
12.1(3)XL    This command was introduced for the Cisco uBR905 cable access router.
12.2(2)XA    Support was added for the Cisco uBR925 cable access router.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII & AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.
12.2(15)ZJ   This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
12.3(4)T     This command was integrated into Cisco IOS Release 12.3(4)T.

Usage Guidelines

This command displays the command ring information.

If there is valid data in any of the rings, the ring entry will be printed.

Examples

The following example shows the command ring information:

Router# show crypto engine accel ring packet
PPQ RING:
cmd ring:head = 10 tail =10
result ring:head = 10 tail =10
destination ring:head = 10 tail =10
source ring:head = 10 tail =10
free ring:head = 0 tail =255
00000000 071A96C5
00000000 071A96C5
00000001 071A9465
00000001 071A9465
00000002 071A9205
00000002 071A9205
.
.
.
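
Added example (not part of the Cisco documentation): a Python parser for the head and tail pointers in captured show crypto engine accelerator ring packet output, which compares two captures and reports the rings whose pointers changed, showing whether the rings are seeing activity. The first capture is the output shown above; the second capture and the function names are constructed for illustration.

```python
import re

# Matches lines such as "cmd ring:head = 10 tail =10", keeping the router's
# irregular spacing. The "PPQ RING:" banner and the hex entry lines do not match.
RING_RE = re.compile(
    r"^\s*(?P<name>[\w ]+?) ring:\s*head\s*=\s*(?P<head>\d+)\s+tail\s*=\s*(?P<tail>\d+)\s*$"
)

def parse_rings(output):
    """Return {ring name: (head, tail)} parsed from the command output text."""
    rings = {}
    for line in output.splitlines():
        m = RING_RE.match(line)
        if m:
            rings[m.group("name")] = (int(m.group("head")), int(m.group("tail")))
    return rings

def moved_rings(before, after):
    """Sorted names of rings whose head or tail changed between two captures."""
    common = before.keys() & after.keys()
    return sorted(name for name in common if before[name] != after[name])

# Capture as printed in the example above (entry list shortened).
PAGE_CAPTURE = """\
PPQ RING:
cmd ring:head = 10 tail =10
result ring:head = 10 tail =10
destination ring:head = 10 tail =10
source ring:head = 10 tail =10
free ring:head = 0 tail =255
00000000 071A96C5
00000001 071A9465
"""

# Constructed second capture (sample data, not router output from the page).
LATER_CAPTURE = """\
PPQ RING:
cmd ring:head = 14 tail =14
result ring:head = 14 tail =14
destination ring:head = 14 tail =14
source ring:head = 14 tail =14
free ring:head = 0 tail =255
"""

if __name__ == "__main__":
    first = parse_rings(PAGE_CAPTURE)
    later = parse_rings(LATER_CAPTURE)
    for name, (head, tail) in first.items():
        print(f"{name}: head={head} tail={tail}")
    print("rings that moved:", moved_rings(first, later))
```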

Related Commands

Command                                      Description
clear crypto engine accelerator counter      Resets the statistical and error counters for the hardware accelerator to zero.
crypto ca                                    Defines the parameters for the certification authority used for a session.
crypto cisco                                 Defines the encryption algorithms and other parameters for a session.
crypto dynamic-map                           Creates a dynamic map crypto configuration for a session.
crypto engine accelerator                    Enables the use of the onboard hardware accelerator for IPSec encryption.
crypto ipsec                                 Defines the IPSec security associations and transformation sets.
crypto isakmp                                Enables and defines the IKE protocol and its parameters.
crypto key                                   Generates and exchanges keys for a cryptographic session.
crypto map                                   Creates and modifies a crypto map for a session.
debug crypto engine accelerator control      Displays each control command as it is given to the crypto engine.
debug crypto engine accelerator packet       Displays information about each packet sent for encryption and decryption.
show crypto engine accelerator sa-database   Displays the active entries in the crypto engine SA database.
show crypto engine accelerator statistic     Displays the current run-time statistics and error counters for the crypto engine.
show crypto engine brief                     Displays a summary of the configuration information for the crypto engine.
show crypto engine configuration             Displays the version and configuration information for the crypto engine.
show crypto engine connections               Displays a list of the current connections maintained by the crypto engine.

show diag

To display hardware information for a router, use the show diag command in privileged EXEC mode.

show diag [slot]

Syntax Description

slot   (Optional) Slot number of the interface.

Command Modes

Privileged EXEC

Command History

Release      Modification
11.1 CA      This command was introduced.
11.2 P       This command was modified to update the example for PA-12E/2FE port adapter, PA-E3 port adapter, and PA-T3 port adapter.
11.3 XA      This command was made available for Cisco IOS Release 11.3 XA.
12.0(5)XQ    This command was enhanced and made available for the Cisco 1750 router.
12.0(7)T     This command was modified to add the example for the Cisco 1750 router.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII & AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.
12.2(15)ZJ   This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.